Official Catch Discussion

Official discussion thread for Catch. Please do not post any spoilers or big hints.


any hints for foothold? how to sign up ? anything else ?

Found gia_token and l*_ch**_token variables in apk files, but I think they are useless (I have not enough experience with reverse apk)
Trying to capture traffic, but nothing interesting… just get request and nothing else…
I guess that there are some significant feeds (token, users, password for other services) in apk, but I cannot find anything

Just getting started here, but the artifacts you pull from a certain file are indeed helpful. You just have to find the right way to use something. But, maybe it’s a rabbit hole since I’m just starting to look. :slight_smile:

Anyone mind DM’ing me about this box, struggling to move forward.

One of the way to analyze apk is mobsf :wink:


I found some password hash via sqli, should I crack it? It’s too slow.

I managed to get to the control panel as a user but I have trouble moving forward. I found an explanation of how the exploit should work but in my case it doesn’t really work. Any hints would be greatly appreciated! Also feel free to DM me, to avoid any spoilers for other players :slight_smile:

1 Like

Hello mate !
How did you make the sqli working on the dashboard pliz ?
I’m connected but can’t sqli any field

I don’t think it is sqli but he thinks of another way to get some data? :thinking:

1 Like

Don’t worry, you can get certain information from it without running the application :wink:

Sqli is a rabbit hole, forget it!


Foothold/user was way harder imo to do than root. If you have any issues, feel free to reach out but please let me know what you’ve already tried!

1 Like

Any Hints for foothold plz.
Been trying from Web to Local but no progress - I did find some creds but they didn’t work.

First step, use the artifacts you found from one of the first pieces that stands out and see where they work.

If you find some creds, see where you can login. Google that technology and you’ll find some good info. There’s not a step-by-step guide, so you’ll have to read in to it a bit and use a little trial and error. You’ll eventually find something to get you access to another important thing.

Hopefully that’s helpful but vague enough.

Finally rooted, personally I really don’t like this box where the author intentionally put up some rabbit holes and make certain things unworkable. :-1:

Feel free to PM for user and root.

Hint for user: When something seems not working, they just don’t work. Move on.



  • Foothold:
  1. we get an apk… just look at it to find some juicy infos
  • User:
  1. use previously juicy info to poke around and get more juicy infos
  2. connect to the app we obtained infos for and leak some content. 3 vulns are well-known → one is particularly interesting
  3. get user
  • Root:
  1. basic enumeration gives out something to study. Study it and exploit.
  2. If you ever need an apk file, use a very basic one (and not the one you got initially from the website)
1 Like

Hey everyone!

I got the juicy info and I’m able to log in the app, I understand that there are 3 vulns with an interesting blog post about them, but I’m not really familiar with the software…

Are there any blog posts or material that you recomend for understanding how to exploit the vulnerability?

Feel free to PM me in case that it is not possible to disclose this info here without spoilers :slight_smile:

One of my favorite machines so far.

  • Foothold: What’s this company’s plan for the future? What are the services running? How might they be accessed? Not every idea will work, but one of them does.
  • User: Everybody who has gotten a foothold has found the three big CVEs. Slow down and read about how they work and then experiment. You don’t need some fancy Python script or pre-built exploit, you can do it all with the tools you already have.
  • Root: There’s a certain symmetry to this hack. Imaging moving in reverse.
1 Like

Very true. Always make sure to do full enumeration on those services and you will be able to get user manually.
Root was a bit trickier, maybe check out recurring processes to direct your search.

I ended up using apktool to build a lightweight payload.